From 7fed35a408b9ec37454169425823785b5fc8978b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 24 Aug 2017 02:22:17 +0200 Subject: Refactor base installation module --- modules/base_installation/manifests/cronie.pp | 21 +++++++++ modules/base_installation/manifests/firewall.pp | 20 +++++++++ modules/base_installation/manifests/grub.pp | 21 +++++++++ modules/base_installation/manifests/init.pp | 21 +++++++++ .../base_installation/manifests/kernel_modules.pp | 11 +++++ modules/base_installation/manifests/locales.pp | 37 ++++++++++++++++ modules/base_installation/manifests/logs.pp | 36 ++++++++++++++++ .../manifests/package_managers.pp | 25 +++++++++++ modules/base_installation/manifests/packages.pp | 10 +++++ modules/base_installation/manifests/params.pp | 21 +++++++++ modules/base_installation/manifests/services.pp | 50 ++++++++++++++++++++++ modules/base_installation/manifests/ssh.pp | 14 ++++++ .../base_installation/manifests/system_config.pp | 21 +++++++++ modules/base_installation/manifests/users.pp | 49 +++++++++++++++++++++ 14 files changed, 357 insertions(+) create mode 100644 modules/base_installation/manifests/cronie.pp create mode 100644 modules/base_installation/manifests/firewall.pp create mode 100644 modules/base_installation/manifests/grub.pp create mode 100644 modules/base_installation/manifests/init.pp create mode 100644 modules/base_installation/manifests/kernel_modules.pp create mode 100644 modules/base_installation/manifests/locales.pp create mode 100644 modules/base_installation/manifests/logs.pp create mode 100644 modules/base_installation/manifests/package_managers.pp create mode 100644 modules/base_installation/manifests/packages.pp create mode 100644 modules/base_installation/manifests/params.pp create mode 100644 modules/base_installation/manifests/services.pp create mode 100644 modules/base_installation/manifests/ssh.pp create mode 100644 modules/base_installation/manifests/system_config.pp create mode 100644 modules/base_installation/manifests/users.pp (limited to 
'modules/base_installation/manifests')
diff --git a/modules/base_installation/manifests/cronie.pp b/modules/base_installation/manifests/cronie.pp
new file mode 100644
index 0000000..bcdd9a7
--- /dev/null
+++ b/modules/base_installation/manifests/cronie.pp
@@ -0,0 +1,21 @@
+class base_installation::cronie inherits base_installation {
+ ensure_packages(['cronie'])
+
+ unless empty($base_installation::puppet_code_path) {
+ file { 'post-hook':
+ ensure => file,
+ path => "$base_installation::puppet_code_path/.git/hooks/post-merge",
+ source => 'puppet:///modules/base_installation/cronie/puppet-post-merge',
+ mode => '0755',
+ owner => root,
+ group => root,
+ }
+ cron { 'puppet-apply':
+ ensure => present,
+ command => "cd $base_installation::puppet_code_path ; /usr/bin/git pull",
+ user => root,
+ minute => '*/30',
+ require => File['post-hook'],
+ }
+ }
+}
diff --git a/modules/base_installation/manifests/firewall.pp b/modules/base_installation/manifests/firewall.pp
new file mode 100644
index 0000000..12eeac2
--- /dev/null
+++ b/modules/base_installation/manifests/firewall.pp
@@ -0,0 +1,20 @@
+class base_installation::firewall inherits base_installation {
+ ensure_packages(["whois"], { 'install_options' => '--asdeps' })
+
+ class { 'fail2ban':
+ logtarget => 'SYSLOG',
+ backend => 'systemd'
+ }
+
+ fail2ban::jail { 'sshd':
+ backend => 'systemd',
+ port => 'ssh',
+ filter => 'sshd',
+ maxretry => 10,
+ bantime => 86400,
+ logpath => '',
+ order => 10
+ }
+
+ contain "fail2ban"
+}
diff --git a/modules/base_installation/manifests/grub.pp b/modules/base_installation/manifests/grub.pp
new file mode 100644
index 0000000..0a96aa7
--- /dev/null
+++ b/modules/base_installation/manifests/grub.pp
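Review bot: The cron command `cd $base_installation::puppet_code_path ; /usr/bin/git pull` joins the two steps with `;`, so if the checkout directory is missing the `cd` fails and `git pull` still runs, as root, in cron's default working directory; `&&` makes the pull conditional on the directory change: `command => "cd $base_installation::puppet_code_path && /usr/bin/git pull",`. Nothing in the hunk verifies what the pull brings in before the post-merge hook acts on it as root, so the remote and the transport to it (neither visible here) are fully trusted; that assumption deserves a comment next to the cron resource, e.g. `# The git remote is fully trusted: whatever it serves is merged and then acted on as root by the post-merge hook.` If signed commits are available, a signature check between fetch and merge would be the defensive option.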
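Review bot: The class is named `firewall` but only declares the fail2ban class, an sshd jail and the `whois` package; no packet-filter ruleset is managed, so a reader of init.pp's `contain` list will assume more coverage than exists. A header comment makes the scope explicit: `# Only fail2ban (sshd jail, systemd backend) is managed here; no iptables/nftables rules are applied.` The `maxretry => 10` / `bantime => 86400` choice is also undocumented; a short comment on why ten attempts are tolerated would help whoever tunes it next.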
@@ -0,0 +1,21 @@
+class base_installation::grub inherits base_installation {
+ ensure_packages(['grub'])
+
+ # unless empty($base_installation::grub_device) {
+ # exec { 'install GRUB':
+ # command => "/usr/bin/grub-install --target=i386-pc $base_installation::device",
+ # subscribe => Package["grub"],
+ # }
+ # }
+
+ file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
+ path => "/etc/default/grub",
+ line => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
+ match => '^GRUB_CMDLINE_LINUX='
+ }
+
+ # exec { 'update GRUB config':
+ # command => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
+ # refreshonly => true
+ # }
+}
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp
new file mode 100644
index 0000000..65c5178
--- /dev/null
+++ b/modules/base_installation/manifests/init.pp
@@ -0,0 +1,21 @@
+class base_installation (
+ Optional[String] $grub_device = $base_installation::params::grub_device,
+ Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path,
+ Optional[String] $system_hostname = $base_installation::params::system_hostname,
+ Optional[Array[String]] $system_locales = $base_installation::params::system_locales,
+ Optional[String] $system_timezone = $base_installation::params::system_timezone,
+ Optional[Array[Hash]] $system_users = $base_installation::params::system_users,
+) inherits base_installation::params {
+ contain ::base_installation::packages
+ contain ::base_installation::locales
+ contain ::base_installation::system_config
+ contain ::base_installation::kernel_modules
+ contain ::base_installation::grub
+ contain ::base_installation::firewall
+ contain ::base_installation::logs
+ contain ::base_installation::cronie
+ contain ::base_installation::ssh
+ contain ::base_installation::services
+ contain ::base_installation::users
+ contain ::base_installation::package_managers
+}
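Review bot: The `file_line` rewrites `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, but the `update GRUB config` exec that would regenerate `/boot/grub/grub.cfg` is commented out, so the serial-console setting only reaches the bootloader when someone runs `grub-mkconfig` by hand. When the exec is re-enabled it should be refreshed from the file_line: `notify => Exec['update GRUB config'],`. The commented `install GRUB` block also interpolates `$base_installation::device`, which init.pp does not define (the parameter is `$grub_device`), so it would fail as soon as it is uncommented.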
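Review bot: The six class parameters are undocumented, and their real effect is only discoverable by reading the sub-classes: an empty `$system_users` provisions no accounts, and `$grub_device` is not used at all because grub.pp's install exec is commented out. A header comment describing each parameter and stating that defaults come from `base_installation::params` would make the module usable from this file alone. The `contain` list establishes no ordering between the sub-classes; if any ordering is relied on (packages before services, for instance) it should be expressed with `->` or `require` rather than left to declaration order.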
diff --git a/modules/base_installation/manifests/kernel_modules.pp b/modules/base_installation/manifests/kernel_modules.pp
new file mode 100644
index 0000000..afeb30c
--- /dev/null
+++ b/modules/base_installation/manifests/kernel_modules.pp
@@ -0,0 +1,11 @@
+class base_installation::kernel_modules inherits base_installation {
+ file { '/etc/modprobe.d/pcspkr_no_autoload.conf':
+ ensure => "present",
+ path => "/etc/modprobe.d/pcspkr_no_autoload.conf",
+ source => 'puppet:///modules/base_installation/kernel_modules/pcspkr_no_autoload.conf',
+ mode => "0644",
+ owner => "root",
+ group => "root"
+ }
+
+}
diff --git a/modules/base_installation/manifests/locales.pp b/modules/base_installation/manifests/locales.pp
new file mode 100644
index 0000000..0f31e0b
--- /dev/null
+++ b/modules/base_installation/manifests/locales.pp
@@ -0,0 +1,37 @@
+class base_installation::locales inherits base_installation {
+ # Note: we don't care about other lines, they are not handled in
+ # Puppet
+ define locale_line ($locale, $charmap = 'UTF-8') {
+ file_line { "/etc/locale.gen#$locale":
+ path => '/etc/locale.gen',
+ line => "$locale $charmap ",
+ match => "#?$locale $charmap +$",
+ notify => Exec["/usr/bin/locale-gen"],
+ }
+ }
+
+ unless empty($base_installation::system_locales) {
+ $base_installation::system_locales.each |$locale| {
+ base_installation::locales::locale_line { "/etc/locale.gen#$locale":
+ locale => $locale
+ }
+ }
+
+ $main_locale = $base_installation::system_locales[0]
+ exec { "set_main_locale":
+ command => "/usr/bin/systemd-firstboot --locale=$main_locale",
+ creates => "/etc/locale.conf",
+ }
+ }
+
+ exec { '/usr/bin/locale-gen':
+ refreshonly => true,
+ }
+
+
+ file { "/etc/vconsole.conf":
+ ensure => "link",
+ target => "/dev/null",
+ }
+
+}
diff --git a/modules/base_installation/manifests/logs.pp b/modules/base_installation/manifests/logs.pp
new file mode 100644
index 0000000..558182f
--- /dev/null
+++ b/modules/base_installation/manifests/logs.pp
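Review bot: `ensure => "present"` on a `file` resource that carries a `source` accepts whatever already exists at the path (an existing directory or symlink is left in place), whereas `ensure => file` — the form cronie.pp already uses — insists on a regular file; `ensure => file,` is the stricter choice for a modprobe drop-in. The `path` attribute merely repeats the resource title and can be dropped. The same pattern appears in package_managers.pp (`/etc/pacman.d/mirrorlist`) and services.pp (`noclear.conf`, `en-dhcp.network`).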
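Review bot: `locale_line` is a defined type declared inside the class body; whether nested definitions are accepted depends on the Puppet version in use, and autoloading expects it in its own file (`base_installation/manifests/locales/locale_line.pp`), which is also where the `base_installation::locales::locale_line` reference used further down would be looked up. The `match` pattern `"#?$locale $charmap +$"` interpolates the locale name into a regex unescaped, so the `.` in `fr_FR.UTF-8` matches any character; harmless for the configured values, but worth a comment such as `# locale names are interpolated into the regex unescaped; keep them free of regex metacharacters`. `set_main_locale` is guarded by `creates => "/etc/locale.conf"`, so a later change to the first entry of `$system_locales` is never applied; a comment stating that this is a first-boot-only step would save a puzzled maintainer.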
@@ -0,0 +1,36 @@
+class base_installation::logs inherits base_installation {
+ class { '::logrotate':
+ manage_cron_daily => false,
+ config => {
+ rotate_every => 'week',
+ rotate => 4,
+ create => true,
+ compress => true,
+ olddir => '/var/log/old',
+ tabooext => "+ .pacorig .pacnew .pacsave",
+ }
+ }
+
+ logrotate::rule { 'wtmp':
+ path => '/var/log/wtmp',
+ rotate_every => 'month',
+ create => true,
+ create_mode => '0664',
+ create_owner => 'root',
+ create_group => 'utmp',
+ rotate => 1,
+ minsize => '1M',
+ }
+ logrotate::rule { 'btmp':
+ path => '/var/log/btmp',
+ missingok => true,
+ rotate_every => 'month',
+ create => true,
+ create_mode => '0600',
+ create_owner => 'root',
+ create_group => 'utmp',
+ rotate => 1,
+ }
+
+ contain "::logrotate"
+}
diff --git a/modules/base_installation/manifests/package_managers.pp b/modules/base_installation/manifests/package_managers.pp
new file mode 100644
index 0000000..c5c8485
--- /dev/null
+++ b/modules/base_installation/manifests/package_managers.pp
@@ -0,0 +1,25 @@
+class base_installation::package_managers inherits base_installation {
+ file { '/etc/pacman.d/mirrorlist':
+ ensure => "present",
+ path => "/etc/pacman.d/mirrorlist",
+ source => 'puppet:///modules/base_installation/package_managers/mirrorlist',
+ mode => "0644",
+ owner => "root",
+ group => "root"
+ }
+
+ class { 'pacman':
+ color => true,
+ usesyslog => true,
+ }
+
+ pacman::repo { 'multilib':
+ order => 15,
+ include => '/etc/pacman.d/mirrorlist'
+ }
+
+ class { 'aur': }
+
+ contain "pacman"
+ contain "aur"
+}
diff --git a/modules/base_installation/manifests/packages.pp b/modules/base_installation/manifests/packages.pp
new file mode 100644
index 0000000..b0824ad
--- /dev/null
+++ b/modules/base_installation/manifests/packages.pp
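Review bot: `olddir => '/var/log/old'` sends rotated logs to a directory that nothing in the hunk creates; logrotate reports an error and skips rotation for a log whose olddir is missing, so unless the logrotate module creates it the weekly rotation will fail. A one-line resource closes the gap: `file { '/var/log/old': ensure => directory, owner => 'root', group => 'root', mode => '0750', }`. The `btmp` rule correctly keeps the recreated file at `0600`, since it records failed logins, while `wtmp` stays at the conventional `0664`/`utmp`.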
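Review bot: `class { 'aur': }` enables building packages from user-submitted PKGBUILDs on every node that includes `base_installation`, and the hunk gives no hint which package needs it or who the builds run as (that depends on the aur module, not visible here). A comment naming the consumer, e.g. `# AUR helper needed for <package>; nothing in the base profile depends on it otherwise`, would justify carrying that surface in a base class, or the declaration could move to the profile that actually needs it. The `multilib` repo declaration carries no SigLevel setting, so signature checking for it is whatever the pacman module defaults to; if the module exposes it, stating it explicitly would make that trust decision visible.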
@@ -0,0 +1,10 @@
+class base_installation::packages inherits base_installation {
+ # Preinstalled
+ ensure_packages(['base'])
+
+ # Critical packages
+ ensure_packages(['openssh', 'grub', 'sudo'])
+
+ # Puppet dependencies
+ ensure_packages(['git', 'puppet'])
+}
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp
new file mode 100644
index 0000000..5f2e298
--- /dev/null
+++ b/modules/base_installation/manifests/params.pp
@@ -0,0 +1,21 @@
+class base_installation::params {
+ $puppet_code_path = "/etc/puppetlabs/code"
+ $grub_device = "/dev/sda"
+ $system_hostname = "new.immae.eu"
+ $system_locales = ["fr_FR.UTF-8", "en_US.UTF-8"]
+ $system_timezone = "Europe/Paris"
+ $system_users = [
+ {
+ userid => 1000,
+ username => "immae",
+ groups => ["wheel"],
+ keys => [
+ {
+ host => "immae.eu",
+ key => "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v",
+ key_type => "ssh-rsa"
+ }
+ ]
+ }
+ ]
+}
diff --git a/modules/base_installation/manifests/services.pp b/modules/base_installation/manifests/services.pp
new file mode 100644
index 0000000..b48c3b5
--- /dev/null
+++ b/modules/base_installation/manifests/services.pp
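Review bot: The defaults here embed site data — the hostname `new.immae.eu` and a `$system_users` entry that creates uid 1000 in `wheel` with a hard-coded public key — so any node that includes `base_installation` without overriding the parameters gets a sudo-capable account and an authorized key it never asked for. Module defaults should be neutral, `$system_users = []` and `$system_hostname = ''` (the sub-classes already skip empty values via `empty()`), with the real values supplied per node through Hiera or a profile. If the data is kept here, a comment stating that these are example values to be overridden would at least make the exposure visible to whoever reuses the module.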
@@ -0,0 +1,50 @@
+class base_installation::services inherits base_installation {
+
+ service { "sshd":
+ #ensure => "running",
+ enable => true,
+ }
+
+ service { "systemd-networkd":
+ #ensure => "running",
+ enable => true,
+ }
+
+ service { "systemd-resolved":
+ #ensure => "running",
+ enable => true,
+ }
+
+ service { "cronie":
+ #ensure => "running",
+ enable => true,
+ }
+
+ file { '/etc/systemd/system/getty@tty1.service.d/':
+ ensure => "directory",
+ path => "/etc/systemd/system/getty@tty1.service.d/",
+ mode => "0755",
+ owner => "root",
+ group => "root"
+ }
+
+ file { '/etc/systemd/system/getty@tty1.service.d/noclear.conf':
+ ensure => "present",
+ path => "/etc/systemd/system/getty@tty1.service.d/noclear.conf",
+ source => 'puppet:///modules/base_installation/services/getty_conf_override.conf',
+ recurse => true,
+ mode => "0644",
+ owner => "root",
+ group => "root"
+ }
+
+ file { '/etc/systemd/network/en-dhcp.network':
+ ensure => "present",
+ path => "/etc/systemd/network/en-dhcp.network",
+ source => 'puppet:///modules/base_installation/services/en-dhcp.network',
+ mode => "0644",
+ owner => "root",
+ group => "root"
+ }
+
+}
diff --git a/modules/base_installation/manifests/ssh.pp b/modules/base_installation/manifests/ssh.pp
new file mode 100644
index 0000000..43769e9
--- /dev/null
+++ b/modules/base_installation/manifests/ssh.pp
@@ -0,0 +1,14 @@
+class base_installation::ssh inherits base_installation {
+ class { 'ssh::server':
+ storeconfigs_enabled => false,
+ options => {
+ 'AcceptEnv' => undef,
+ 'X11Forwarding' => 'yes',
+ 'PrintMotd' => 'no',
+ 'ChallengeResponseAuthentication' => 'no',
+ 'Subsystem' => 'sftp /usr/lib/openssh/sftp-server',
+ }
+ }
+
+ contain "ssh::server"
+}
diff --git a/modules/base_installation/manifests/system_config.pp b/modules/base_installation/manifests/system_config.pp
new file mode 100644
index 0000000..f3325f4
--- /dev/null
+++ b/modules/base_installation/manifests/system_config.pp
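Review bot: Every `service` resource has `ensure => "running"` commented out, so a Puppet run only enables sshd, systemd-networkd, systemd-resolved and cronie for the next boot and never starts them on a host that is already up; if that is deliberate (say, the module is applied inside an image build) a comment should say so, otherwise restore `ensure => 'running',`. `recurse => true` on `noclear.conf` has no effect on a regular file and should be dropped. The drop-in under `getty@tty1.service.d` is written without notifying a `systemctl daemon-reload`, so the override is only picked up after a reload or reboot.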
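Review bot: The sshd options leave `PasswordAuthentication`, `PermitEmptyPasswords` and `PermitRootLogin` at whatever the ssh module or OpenSSH defaults to, while users.pp provisions key-only accounts, locks root's password and runs `passwd -d` on the users; the policy the rest of the module assumes should be stated here rather than inherited, e.g. `'PasswordAuthentication' => 'no', 'PermitEmptyPasswords' => 'no',`. `'X11Forwarding' => 'yes'` is unusual for a headless base install and deserves a comment if it is intended. The `Subsystem` path `/usr/lib/openssh/sftp-server` is the Debian location; the module targets a pacman-based system, where I believe openssh ships the binary as `/usr/lib/ssh/sftp-server`, so SFTP would fail — verify against the target package.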
@@ -0,0 +1,21 @@
+class base_installation::system_config inherits base_installation {
+ unless empty($base_installation::system_timezone) {
+ file { "/etc/localtime":
+ ensure => "link",
+ target => "../usr/share/zoneinfo/$base_installation::system_timezone"
+ }
+ }
+
+ unless empty($base_installation::system_hostname) {
+ file { '/etc/hostname':
+ content => "$base_installation::system_hostname\n",
+ }
+
+ # TODO: find a way to ensure that /etc/hostname doesn't change
+ # exec { "set_hostname":
+ # command => "/usr/bin/systemd-firstboot --hostname=$base_installation::system_hostname",
+ # creates => "/etc/hostname",
+ # }
+ }
+
+}
diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp
new file mode 100644
index 0000000..766c0f0
--- /dev/null
+++ b/modules/base_installation/manifests/users.pp
@@ -0,0 +1,49 @@
+class base_installation::users (
+ $users = $base_installation::system_users,
+) inherits base_installation {
+ ensure_packages('ruby-shadow')
+ user { 'root':
+ password => '!'
+ }
+
+ class { 'sudo':
+ config_file_replace => false,
+ # Missing in the sudo package, should no be mandatory
+ package_ldap => false
+ }
+
+ sudo::conf { 'wheel':
+ priority => 10,
+ content => "%wheel ALL=(ALL) ALL"
+ }
+
+ contain "sudo"
+
+ $users.each |$user| {
+ user { "${user[username]}:${user[userid]}":
+ name => $user[username],
+ uid => $user[userid],
+ ensure => "present",
+ groups => $user[groups],
+ managehome => true,
+ home => "/home/${user[username]}",
+ notify => Exec["remove_password"],
+ purge_ssh_keys => true
+ }
+
+ exec { "remove_password":
+ command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}",
+ refreshonly => true
+ }
+
+ $user[keys].each |$key| {
+ ssh_authorized_key { "${user[username]}@${key[host]}":
+ name => "${user[username]}@${key[host]}",
+ user => $user[username],
+ type => $key[key_type],
+ key => $key[key],
+ }
+ }
+ }
+
+}
-- cgit v1.2.3
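Review bot: `exec { "remove_password": ... }` is declared inside the `$users.each` loop with a fixed title, so a second entry in `$system_users` produces a duplicate-declaration error at catalog compile time; key the title by user and point the notify at it: `exec { "remove_password_${user[username]}":` and `notify => Exec["remove_password_${user[username]}"],`. The notify also fires on any later change to the `user` resource (a new group, a different home), not only on creation, and each run executes `passwd -d`, which deletes the password outright — an account whose owner has since set a password is silently reset to an empty one on the next attribute change. Guarding the exec with `creates`/`onlyif` on something that only changes at first login, or restricting it to account creation, would avoid that; a comment spelling out the intended first-login flow (key login, then forced password set via `chage -d 0`) would make the design reviewable.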